<format>
	<id company="Microsoft" name="ETW"></id>
	<description>Gets the messages from Enterprise Tracing for Windows trace log files (.etl files).</description>
	
	<logparser>
		<patterns>
			<pattern>*.etl</pattern>
		</patterns>

		<input name="ETW">
			<param name="fMode">Full</param>
		</input>

		<fields-config>
			<field name='Time'>TO_DATETIME(Timestamp, DEFAULT_DATETIME_FORMAT())</field>
			<field name='Thread'>ProcessID + '-' + ThreadID</field>
			<field name='Body' code-type='function'>
<![CDATA[StringBuilder ret = new StringBuilder();
ret.Append(EventTypeName);
int fixedETWFieldsCount = 20; // the amount of fixed ETW fields in Full mode (see LogParser documentation)
for (int i = fixedETWFieldsCount; i < INPUT_FIELDS_COUNT(); ++i) 
{
	string value = INPUT_FIELD_VALUE(i);
	if (!string.IsNullOrEmpty(value))
		ret.AppendFormat("; {0}={1}", INPUT_FIELD_NAME(i), value);
}
return ret.ToString();]]>
			</field>
			<field name='Event Number'>EventNumber</field>
			<field name='Event Name'>EventName</field>
			<field name='Event Description'>EventDescription</field>
			<field name='Event Version'>EventVersion</field>
			<field name='Event Type'>EventType</field>
			<field name='Event Type Description'>EventTypeDescription</field>
			<field name='Event Type Level'>EventTypeLevel</field>
		</fields-config>
	</logparser>
</format>